Banks disclose IT outage rates

15 April 2019

UK banks currently suffer an average of one major IT outage per month, according to figures published under new reporting requirements.

UK banks are already required to notify the Financial Conduct Authority (FCA) of any major operational or security incident that prevents customers from using their services. However, banks were recently required to publish details of security incidents and IT outages on their websites.

Analysis of the figures by the BBC showed that most major high street banks suffered more than ten shutdowns in the last nine months of 2018. One major bank had over 41 incidents between April and December 2018, while another had 37.

The FCA previously revealed that the frequency of IT outages for UK financial institutions had doubled, with some institutions demonstrating worrying weaknesses in their cyber resilience.

A resilience study found that the number of technology outages reported to the UK financial services regulator increased by 138% between October 2017 and September 2018.

Of the 646 technology and cyber incidents reported to the FCA, 79% were related to technology and 18% were cyber.

Banks disclose IT outage ratesRegulatory scrutiny

Last year, the FCA announced plans to increase its focus on cyber-related business interruption, with plans to bolster the cyber resilience of financial services firms through a number of measures.

In July, UK regulators set out their thinking on cyber related operational resilience in Discussion Paper (DP01/18).

The paper, published jointly by the Bank of England (BoE), the Prudential Regulation Authority (PRA), and the FCA, proposed new regulatory requirements aimed at making the country’s banks, insurers, and asset managers more resilient to technology related service disruption; such as a major IT outage, an outsourcing failure, or a major cyber-attack.

The regulation would require firms to plan for the continuity of services and demonstrate to the regulator that they have the appropriate plans in place to ensure their operational cyber resilience.

This change could see the regulator set tolerances and minimum service standards, with regards to business continuity and the restitution of banking services following a cyber attack or technology incident.

The FCA has yet to finalise its cyber resilience standards, but they would undoubtedly have cyber insurance implications.

Service standards imposed by the regulator would provide a benchmark for business interruption losses and compensation payments for customers. This could offer greater clarity around the cost of system outages and shape insurers’ loss expectations.

Building resilience

The increased focus on operational resilience followed a string of outages in 2018, most notably major disruption for customers at a retail and commercial bank after a problematic IT platform migration.

A number of other banks have experienced disruption to services or payment systems, while an American multinational financial services payment system was hit by a partial service outage in 2018.

A UK bank recently announced plans to pilot cyber stress tests in 2019, which would measure their cyber resilience and recovery speed from a cyber attack. In December, the European Central Bank published its cyber resilience oversight expectations, while the Basel Committee on Banking Supervision published their report on cyber resilience practices.

The FCA also published a document bringing together industry insights on cyber resilience in March 2019. The Cyber Security – Industry Insights report makes a series of recommendations to build cyber resilience, while emphasising the need for preparation.

“Incidents will occur. The ability to respond and recover from them should be a key part of a business’ risk management and operational resilience planning.

Resuming critical business services rapidly and with accurate data requires continuity planning and testing of plausible cyber-attack scenarios. Exercising people, processes and technology is a key aspect of response and recovery planning,” the FCA says.

For more articles like this, download our Cyber Decoder
Cyber Learn more about cyber insurance solutions and risk management >>

Sarah StephensTALK TO AN EXPERT

If you would like to talk about any of the issues raised in this article, please contact Sarah Stephens, Head of Cyber on
+44 (0)20 3394 0486.

As part of Marsh JLT Specialty's London-based Financial Lines Group, Sarah and her team work both directly with our clients and with network colleagues and independent partners to make sense of cyber, technology, and media E&O (PI) risks and create leading edge bespoke insurance solutions in the London market.

Prior, Sarah spent 12 years with Aon in a variety of roles. Her last role at Aon was Head of Cyber & Commercial E&O for the Europe, Middle East, and Africa (EMEA) Region, working with colleagues across business groups and clients in the region to identify, analyse, and drive awareness of cyber risks, exposures, and both insurance and non-insurance solutions.

Previously, Sarah spent seven years with Aon’s US Cyber and Errors & Omissions practice group thinking nonstop about cyber insurance way before it was cool. Her first four years at Aon were spent in the Account Management group working with large clients and developing a keen eye for excellent client service.

View our latest cyber videos here